https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16695
Bug ID: 16695
Summary: [oss-fuzz] #24099 Stack-buffer-overflow in dissect_xcsl_tcp_heur
Product: Wireshark
Version: Git
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: lom...@gmail.com
Target Milestone: ---
Build Information:
TShark (Wireshark) 3.3.0 (v3.3.0rc0-1624-g45e9da9b6710)
Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with
Lua 5.2.4, with GnuTLS 3.5.18 and PKCS #11 support, with Gcrypt 1.8.1, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.30.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.4.
Running on Linux 5.3.0-61-generic, with Intel(R) Core(TM) i7-4800MQ CPU @
2.70GHz (with SSE4.2), with 15918 MB of physical memory, with locale
LC_CTYPE=en_US.UTF-8, LC_NUMERIC=it_IT.UTF-8, LC_TIME=it_IT.UTF-8,
LC_COLLATE=en_US.UTF-8, LC_MONETARY=it_IT.UTF-8, LC_MESSAGES=en_US.UTF-8,
LC_PAPER=it_IT.UTF-8, LC_NAME=it_IT.UTF-8, LC_ADDRESS=it_IT.UTF-8,
LC_TELEPHONE=it_IT.UTF-8, LC_MEASUREMENT=it_IT.UTF-8,
LC_IDENTIFICATION=it_IT.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.18,
with Gcrypt 1.8.1, with brotli 1.0.4, with zlib 1.2.11, binary plugins
supported (0 loaded).
Built using clang Clang 10.0.0.
--
A new bug has been found by oss-fuzz.
#0 0x1d4a09c in get_next_item /src/wireshark/epan/dissectors/packet-xcsl.c:122:14
#1 0x1d4a09c in dissect_xcsl_tcp /src/wireshark/epan/dissectors/packet-xcsl.c:169:15
#2 0x1d4a09c in dissect_xcsl_tcp_heur /src/wireshark/epan/dissectors/packet-xcsl.c:296:13
#3 0x6422b1 in dissector_try_heuristic /src/wireshark/epan/packet.c:2816:9
#4 0x1a47ec5 in decode_tcp_ports /src/wireshark/epan/dissectors/packet-tcp.c:5910:13
#5 0x1a4ceee in process_tcp_payload /src/wireshark/epan/dissectors/packet-tcp.c:5965:13
#6 0x1a48dc0 in dissect_tcp_payload /src/wireshark/epan/dissectors/packet-tcp.c:6047:9
#7 0x1a573c2 in dissect_tcp /src/wireshark/epan/dissectors/packet-tcp.c:0
#8 0x63c060 in call_dissector_through_handle /src/wireshark/epan/packet.c:712:9
#9 0x63c060 in call_dissector_work /src/wireshark/epan/packet.c:805:9
#10 0x63bb8d in dissector_try_uint_new /src/wireshark/epan/packet.c:1405:8
#11 0x11ada87 in ip_try_dissect /src/wireshark/epan/dissectors/packet-ip.c:1827:7
#12 0x11b16bc in dissect_ip_v4 /src/wireshark/epan/dissectors/packet-ip.c:2311:10
#13 0x63c060 in call_dissector_through_handle /src/wireshark/epan/packet.c:712:9
#14 0x63c060 in call_dissector_work /src/wireshark/epan/packet.c:805:9
#15 0x645311 in call_dissector_only /src/wireshark/epan/packet.c:3222:8
#16 0x645311 in call_all_postdissectors /src/wireshark/epan/packet.c:3597:3
#17 0xf296c9 in dissect_frame /src/wireshark/epan/dissectors/packet-frame.c:870:5
#18 0x63c060 in call_dissector_through_handle /src/wireshark/epan/packet.c:712:9
#19 0x63c060 in call_dissector_work /src/wireshark/epan/packet.c:805:9
#20 0x638a0b in call_dissector_only /src/wireshark/epan/packet.c:3222:8
#21 0x638a0b in call_dissector_with_data /src/wireshark/epan/packet.c:3235:8
#22 0x6381a0 in dissect_record /src/wireshark/epan/packet.c:586:3
#23 0x62be37 in epan_dissect_run /src/wireshark/epan/epan.c:585:2
#24 0x4cdba9 in LLVMFuzzerTestOneInput /src/wireshark/fuzz/fuzzshark.c:381:2
#25 0x27f336e in ExecuteFilesOnyByOne /src/libfuzzer/afl/afl_driver.cpp:217:5
#26 0x27f336e in main /src/libfuzzer/afl/afl_driver.cpp:254:12
#27 0x7f5022d4082f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
#28 0x4207a8 in _start
It's a stack buffer overflow.
--
___________________________________________________________________________
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
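The trace above ends in get_next_item in packet-xcsl.c, a tokenizer reached from the XCSL heuristic TCP dissector. The C program below is an added illustration of that bug class and is not the code of packet-xcsl.c (the page does not show the dissector's source, its buffer size or its fix, and none of that is claimed here): it measures what an unbounded delimiter scan over packet bytes would copy into a fixed-size stack buffer, beside a bounded tokenizer that fails closed when a token does not fit or no delimiter arrives before the end of the packet. The delimiter set, TOKEN_CAP and the two sample payloads are assumptions constructed for the demo.

```c
/*
 * Added illustration of the bug class named in the report (stack buffer
 * overflow in a packet tokenizer).  This is NOT packet-xcsl.c and makes no
 * claim about how that dissector, its buffer size or its fix look; the
 * delimiter set, TOKEN_CAP and the sample payloads are assumptions for the
 * demo.  Build: cc -Wall -fsanitize=address demo.c
 */
#include <stddef.h>
#include <stdio.h>

#define TOKEN_CAP 16   /* assumed size of the stack buffer a caller would use */

static int is_delim(unsigned char c)
{
    return c == ';' || c == '\r' || c == '\n';
}

/*
 * What an unbounded loop would copy: it stops only at a delimiter or at the
 * end of the packet, never at the capacity of the destination.  The length
 * is returned instead of performing the copy, so nothing here overflows;
 * compare the result with TOKEN_CAP to see the bug.
 */
size_t unbounded_token_len(const unsigned char *pkt, size_t pkt_len, size_t off)
{
    size_t n = 0;
    while (off + n < pkt_len && !is_delim(pkt[off + n]))
        n++;
    return n;
}

/*
 * Bounded tokenizer.  Writes at most cap-1 bytes plus a NUL into out,
 * never reads past pkt_len, and fails closed: returns -1 when the token
 * does not fit or no delimiter is found before the packet ends.  On
 * success returns 0, sets *len to the token length and *next to the offset
 * just past the delimiter.
 */
int bounded_get_next_item(const unsigned char *pkt, size_t pkt_len, size_t off,
                          char *out, size_t cap, size_t *next, size_t *len)
{
    size_t n = 0;

    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        if (off + n >= pkt_len)          /* no delimiter before end of packet */
            return -1;
        if (is_delim(pkt[off + n]))
            break;
        if (n + 1 >= cap) {              /* token would not fit: refuse */
            out[0] = '\0';
            return -1;
        }
        out[n] = (char)pkt[off + n];
        n++;
    }
    out[n] = '\0';
    *len = n;
    *next = off + n + 1;                 /* skip the delimiter */
    return 0;
}

/* Walks a whole packet with the bounded tokenizer; returns the number of
 * tokens, or -1 as soon as one is rejected. */
int count_tokens(const unsigned char *pkt, size_t pkt_len)
{
    char tok[TOKEN_CAP];
    size_t off = 0, next, len;
    int count = 0;

    while (off < pkt_len) {
        if (bounded_get_next_item(pkt, pkt_len, off, tok, sizeof tok, &next, &len) != 0)
            return -1;
        count++;
        off = next;
    }
    return count;
}

/* Constructed sample payloads (not the oss-fuzz testcase). */
static const unsigned char GOOD_PKT[] = "ok;cmd;last\n";
static const unsigned char BAD_PKT[]  =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" ";\r\n"; /* 40-byte token */
#define GOOD_LEN (sizeof GOOD_PKT - 1)
#define BAD_LEN  (sizeof BAD_PKT - 1)

int main(void)
{
    printf("good: first token %zu bytes, bounded parse -> %d tokens\n",
           unbounded_token_len(GOOD_PKT, GOOD_LEN, 0), count_tokens(GOOD_PKT, GOOD_LEN));
    printf("bad:  first token %zu bytes into a %d-byte buffer, bounded parse -> %d\n",
           unbounded_token_len(BAD_PKT, BAD_LEN, 0), TOKEN_CAP, count_tokens(BAD_PKT, BAD_LEN));
    return 0;
}
```

Because the trace shows the dissector entered through dissector_try_heuristic, this path is reachable from any TCP segment that satisfies the heuristic, not only from a configured port, which is why a tokenizer must take its copy bound from the destination buffer rather than from the packet.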